April 15 (Bloomberg) -- The crown jewel of a secure website
is a single string of data: a very long jumble of letters,
numbers and symbols that looks like gibberish. The Heartbleed
bug lets hackers extract it.

Security professionals demonstrated last weekend that the
recently disclosed Heartbleed bug can be exploited to allow
criminals and intelligence agencies to make off with one of the
most sought-after prizes in hacking: the private keys that
websites rely on to decrypt sensitive information, including
passwords, banking details and health data.

At least six people were able to extract the private key of
a website in a test of the bug’s viability organized by
CloudFlare Inc., said Nick Sullivan, a security architect with
the Internet security company. The results suggest hackers have
stolen encryption keys using the bug and are planning attacks,
he said.

The company set up the competition after stating in an
April 11 blog post (which was reported by the New York Times)
that stealing keys appeared to be very hard or impossible using
Heartbleed, one of the biggest holes in the history of the
Internet. “It turns out we were wrong,” CloudFlare now says.
Sullivan said in an e-mail Sunday that the company was planning
to replace the keys it manages for clients anyway to be safe and
that the contest “made us more confident that the cost was
worthwhile.”

Heartbleed’s Danger

The evidence that a widely used encryption software library
called OpenSSL can be undermined, giving attackers potential
access to websites’ future and past communications, validated
fears about Heartbleed’s danger and added urgency to efforts,
now entering their second week, to fix computer systems that
contain it.

Since its discovery, there has been much discussion about
how the flaw could have gone undetected for so long and whether
criminal hackers or government intelligence units might have
exploited it.

Bloomberg News reported April 11 that the National Security
Agency knew about the bug for two years and made it part of its
hacking toolkit. The NSA has since denied that it knew of the
Internet hole before an April 7 report by private security
researchers.

Vulnerable Devices

Millions of smartphones and tablets running Google Inc.’s
Android software are vulnerable to the bug, as are networking
products from Cisco Systems Inc. and Juniper Networks Inc.
Dozens of entities are conducting Internet-wide attack attempts
seeking to exploit Heartbleed, including computers in China that
have been associated with hacking, said J. Alex Halderman, an
assistant professor of electrical engineering and computer
science at the University of Michigan tracking the attacks.

Sites have no way of knowing if their encryption keys have
been stolen, and criminals will soon find ways to automate
techniques for taking them, said Jeremiah Grossman, a Web
application specialist and founder of WhiteHat Security Inc.

“Exploitability matters a great deal!” Grossman wrote in
an e-mail. “After that proof is done, then the black hat tool
to make it scale will come next. And just because the issue is
patched, doesn’t mean the risk is over - far from it.”

Serious Internet Hole

Heartbleed, the result of a simple programming error, is
the kind of security hole that is discovered every few years,
widespread and serious enough that it sends technology companies
around the world scrambling to protect their networks.

Writing the code to exploit it takes creativity and
patience. Good exploit code is something of an art form, and
skilled hackers have signature techniques. Finding a bug and
figuring out that it is exploitable are just the first steps.

Intelligence agencies and criminal syndicates take what
they know and create hacking packages that can be used
off-the-shelf to compromise networks. Thus, a single bug can
spawn multiple types of attack bundles. The goal is to maximize
the ability to penetrate a target, while minimizing the chance
of discovery.

The Heartbleed bug could therefore have many consequences,
but the ability to steal private encryption keys is the most
severe.

In encryption, private keys are like the keys to a house.
Only you have them, and they are closely guarded. Public keys,
on the other hand, are what everyone on the Internet sees when
they want to communicate securely with a website. The two are
paired.

Private Key

Stealing the private key gives an intruder unfettered
access to a target, allowing the intruder to decrypt data
flowing between the website’s servers and users’ computers.

So far, efforts to fix vulnerable systems appear to be
working. The majority of websites that had the bug have applied
a software patch that protects them. About 12 percent have not,
according to a site called istheinternetfixedyet.com tracking
the progress.

An urgent concern now is that they all revoke the Secure
Sockets Layer, or SSL, digital certificates that vouch for
their encryption keys, because the matching private keys might
have already been stolen by hackers.

The researchers who discovered Heartbleed said the bug
could exist inside hundreds of millions of websites, based on
the market share of the open-source software that uses OpenSSL.
The number is actually closer to 500,000, because only a
fraction of sites had the vulnerable functionality turned on,
according to Netcraft Ltd., a cyber-security firm based in Bath,
U.K., whose data the researchers used for their original
estimate.

Potential Attack

Of the vulnerable sites, just 30,000 have taken the step of
revoking their encryption certificates, leaving the rest exposed
to potential attack, Netcraft said.

An attack would look like what Ben Murphy, a 30-year-old
software developer in London, did on Saturday after his morning
run.

In a matter of a few hours, Murphy took a publicly
available program designed to exploit Heartbleed flaws, modified
it and trained it on CloudFlare’s contest server using two
machines from Amazon.com Inc.’s cloud-computing service. Out
popped the private key before lunch.

The attack required a basic understanding of encryption,
information that could probably be obtained from an introductory
course on the subject, Murphy said.

“I don’t think dumping the private key was that
difficult,” he wrote in an e-mail.

Multiple Computers

CloudFlare’s test site got 44 million hacking attempts from
2,921 unique Internet Protocol addresses, the company said. The
number of contestants was smaller because some people used
multiple computers.

The contest was designed as a realistic simulation for an
attack, and the contest server used the same software as
one-seventh of all websites, Sullivan said.

Ilkka Mattila, an information-security specialist with the
National Cyber Security Centre in Finland, said he was preparing
food and watching television while his program stole the key
with relative ease.

“The implications were mind-boggling,” Mattila wrote in
an e-mail. “Not only would anyone with a stolen key be able to
impersonate any vulnerable service, but also any previous
communication encrypted with the same key would be at risk. I
immediately recalled the stories about large intelligence
organizations storing huge amounts of encrypted traffic ‘in case
they might be decrypted in the future.’ This might be that
day.”
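The key-pairing explanation earlier in the article and Mattila’s point that previously recorded traffic is at risk both come down to how the server’s private key is used in the handshake. The following Python script is an added illustration, not part of the Bloomberg article or of any named company’s code, and it uses deliberately tiny, constructed parameters (a 61 × 53 RSA modulus and the Diffie-Hellman group p = 23, g = 5) so it runs offline. It contrasts two handshake styles: RSA key transport, where a recorded session can be decrypted later by whoever holds the leaked private key, and ephemeral Diffie-Hellman, where the long-term key only signs and the recorded transcript does not contain the session secret. Function and variable names are the example’s own.

```python
import hashlib
import random

# Toy RSA long-term server key. Primes this small are for illustration only
# (constructed values); a real key uses a 2048-bit or larger modulus.
def rsa_keygen(p=61, q=53, e=17):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+)
    return (n, e), (n, d)               # (public key, private key)

def rsa_apply(key, m):
    # Raw RSA: the same operation encrypts/verifies with (n, e) and
    # decrypts/signs with (n, d).
    n, exp = key
    return pow(m, exp, n)

def derive_session_key(shared_secret):
    # Both sides turn the agreed secret into a symmetric key the same way.
    return hashlib.sha256(str(shared_secret).encode()).hexdigest()[:16]

def sig_digest(value, n):
    # Hash the value to be signed, reduced below the RSA modulus.
    return int(hashlib.sha256(str(value).encode()).hexdigest(), 16) % n

# --- Handshake 1: RSA key transport (no forward secrecy) -------------------
def rsa_transport_handshake(server_pub, server_priv, rng):
    n, _ = server_pub
    premaster = rng.randrange(2, n)                 # chosen by the client
    ciphertext = rsa_apply(server_pub, premaster)   # sent over the wire
    # This is everything a passive eavesdropper can record.
    transcript = {"kind": "rsa", "ciphertext": ciphertext}
    server_premaster = rsa_apply(server_priv, ciphertext)
    assert server_premaster == premaster
    return transcript, derive_session_key(server_premaster)

# --- Handshake 2: ephemeral DH, long-term key used only to sign -------------
DH_P, DH_G = 23, 5   # constructed toy group; real deployments use far larger groups

def ephemeral_dh_handshake(server_pub, server_priv, rng):
    n, _ = server_pub
    b = rng.randrange(1, DH_P - 1)                  # server ephemeral, discarded after use
    B = pow(DH_G, b, DH_P)
    signature = rsa_apply(server_priv, sig_digest(B, n))      # proves B came from the server
    assert rsa_apply(server_pub, signature) == sig_digest(B, n)  # client verifies
    a = rng.randrange(1, DH_P - 1)                  # client ephemeral
    A = pow(DH_G, a, DH_P)
    client_secret = pow(B, a, DH_P)
    server_secret = pow(A, b, DH_P)
    assert client_secret == server_secret
    # The recorded transcript holds only the public ephemeral values and the signature.
    transcript = {"kind": "dh", "A": A, "B": B, "signature": signature}
    return transcript, derive_session_key(server_secret)

# --- What a leaked private key lets a passive recorder do afterwards ---------
def recover_from_leak(transcript, leaked_priv):
    if transcript["kind"] == "rsa":
        # The recorded ciphertext decrypts directly: every past session is exposed.
        return derive_session_key(rsa_apply(leaked_priv, transcript["ciphertext"]))
    # Ephemeral DH: the private key can verify (or, going forward, forge)
    # signatures, but it plays no part in the shared secret, so no past
    # session key falls out of the leak. (With p = 23 the discrete log is
    # trivially brute-forced; that is a property of the toy group, not of the design.)
    return None

if __name__ == "__main__":
    pub, priv = rsa_keygen()
    t_rsa, k_rsa = rsa_transport_handshake(pub, priv, random.Random(1))
    t_dh, k_dh = ephemeral_dh_handshake(pub, priv, random.Random(1))
    print("RSA transport session key:", k_rsa, "recovered after leak:", recover_from_leak(t_rsa, priv))
    print("Ephemeral DH session key:", k_dh, "recovered after leak:", recover_from_leak(t_dh, priv))
```

The contrast is the reason forward-secret cipher suites matter after an incident like this: replacing and revoking the key stops future impersonation in both designs, but only the ephemeral design keeps traffic recorded before the leak out of reach.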

Sensitive Information

Fedor Indutny, a security researcher in Moscow, said he
didn’t think his straightforward approach would lead to such
sensitive information.

“I had no expectation of obtaining the key, because it
doesn’t seem feasible at that time,” Indutny wrote in an
e-mail. “Successfully extracting it was a big surprise for me!”

Attackers could go after more than just encryption keys.

Yahoo! Inc. found some of its data spilled onto the
Internet after the Heartbleed discovery.

Mark Loman, chief executive officer of software maker
SurfRight BV in the Netherlands, said the bug was trivial to
exploit and easily made Yahoo’s servers cough up user names,
passwords and other sensitive information. Loman posted some of
it online in redacted form and alerted the company.

Yahoo said within 48 hours that it had fixed the problems
on its main properties. “As soon as we became aware of the
issue, we began working to fix it,” the Sunnyvale,
California-based company said in an e-mailed statement April 9.

Yahoo said in an e-mailed statement yesterday that it has
fixed the Heartbleed bug across all of its properties and
declined to address specific questions about the gap between
when the bug was disclosed and when the site was fixed.

There was a silver lining: security professionals contacted
Loman for advice on how to exploit the bug on websites used by
criminals.

“They were anxious to scrape accounts from web servers
belonging to the cybercrime underground forums, to infiltrate
the operations of cybercriminals,” Loman wrote in an e-mail.
“Like Yahoo, the crooks hadn’t patched their Web servers.”